The CyberWire Daily Podcast 2.15.17
Ep 287 | 2.15.17

Nation-states or criminal gangs? Update on Polish banking attacks. And an update on RSA.


Dave Bittner: [00:00:01:00] Nation-state hacks or criminal capers? It's not always clear and sometimes it's a distinction without a difference. But in any case, many call for international norms of cyber conflict. Rasputin and Zeus waterholes and catphish. RSA is at its midpoint; we offer some of what we're hearing on the floor about false alarms, where to draw the perimeter and concerns about the Internet-of-things.

Dave Bittner: [00:00:31:23] Time for a message from one of our sponsors E8 Security. Let me ask you a question. Do you fear the unknown? Lots of people do of course, Jason, Chucky, stuff like that. But we're not talking about those, we're talking about real threats, unknown unknowns lurking in your networks. The people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to and download their white paper. Detect, Hunt, Respond. It describes a fresh approach to the old problem of recognizing and containing a threat no one has ever seen before. The known unknowns like pumpkin head with a hitcher. They are nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. and download that white paper. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:39:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, not as usual in Baltimore but out here in the city by the other bay, San Francisco, covering RSA and offering your CyberWire summary for Wednesday, February 15th, 2017.

Dave Bittner: [00:01:55:02] Concerns about nation-state hacking continue to rise. Observers see signs that governments are making increased use of criminal gangs in operations those governments are directing, organizing or inspiring. The activities of the Lazarus Group may provide a particularly interesting example: whoever may be directing them, their crimes do seem to chime with the interests of one or two states (and the Internet is looking at you, Russia and North Korea). FireEye's Kevin Mandia counsels everyone not to expect any markedly reformed behavior from the Russian government.

Dave Bittner: [00:02:27:03] In this regard observers continue to mull Microsoft's call for international norms that would govern conflict in cyberspace: they might bear comparison with those implied by the new edition of the Tallinn Manual.

Dave Bittner: [00:02:40:03] Booz Allen Hamilton's Cyber4Sight has an interesting account of the malware used in the watering hole attacks on Polish banks and other financial institutions. Cyber4Sight notes, with commendable caution, that it's too early for attribution. Polish media initially called it a Russian attack; that's unclear - there are equally compelling signs of purely criminal activity. Although here again it's worth recalling the degree to which in many parts of the world there's significant interpenetration among security services and criminal organizations.

Dave Bittner: [00:03:11:23] There are of course more familiar banking threats, as might be expected, out in the wild. A new variant of the Zeus Trojan is out and about. The security firm Dr. Web is tracking it - and it seems only fair, for all this stick Russian institutions attract in the security space, to mention that Dr. Web is a Russian company, doing some good work on the threat front.

Dave Bittner: [00:03:33:10] Journalists and activists interested in Gulf-region migrant worker issues appear, according to Bleeping Computer, to be receiving the ministrations of an as-yet unattributed cyber espionage campaign. That campaign seems to feature catphishing organized around the social media profiles of an (apparent) young woman known as Safeena Malik, evidently the Robin Sage of this particular effort. The campaign involves long-term cultivation of targets with the eventual goal of inducing them to visit a watering hole site disguised as a Google login page, whence the victims' credentials are extracted. As is traditional in recruiting for espionage, the catphish - the false persona - professes a common interest in migrant labor laws and in "activism." Thus it might be conceived as a kind of affinity scam.

Dave Bittner: [00:04:22:21] Ransomware continues its predictable evolution. Observers note that the extortionists' preferred target sets are becoming better-defined. They're focusing their attentions on what are being called "high-value" targets, but these would be better characterized as high-payoff targets, those most likely to pay: governments, healthcare and small businesses.

Dave Bittner: [00:04:42:11] In industry news or more accurately, in industry rumor, Google is thought to be shopping for Indian cybersecurity companies.

Dave Bittner: [00:04:50:07] And in legal news, former NSA contractor Hal Martin has pled not guilty to charges he purloined, stashed and hoarded highly classified information. The probable lines of his defense have yet to emerge but it seems significant that although charged under the US Espionage Act, he wasn't charged with espionage as such.

Dave Bittner: [00:05:10:13] Some quick notes on RSA, as the conference reaches its midpoint.

Dave Bittner: [00:05:14:09] According to experts on the technical, operational and political aspects of the matter, nation-state operations in cyberspace are expected to increase. Those operations are expected to include espionage, information and influence operations, destruction or disabling of systems and data, and more complete integration with kinetic military operations. Nation-states are also expected to become coyer about how they conduct such operations. The "pullback" some observers say they see isn't conciliatory. Rather, it's a sign that states are increasingly turning to non-state actors (especially criminal groups) or front organizations. The goal isn't good world citizenship, still less peace; rather it's plausible deniability. Some speakers have expressed cautious optimism about Western states' growing ability and resolution to act effectively against cyber challenges, but no one thinks it's going to be easy.

Dave Bittner: [00:06:08:18] Security products go through natural life cycles and today's protection might not work against tomorrow's threats but there can be non-technical barriers to making a change. Steve Grobman is Chief Technology Officer for Intel Security.

Steve Grobman: [00:06:23:05] There's a psychological challenge with the products and what that is, is if you think about the way that technology typically operates in an environment, it's most effective when it's first installed and because of that there's often a motivation for security operations to choose and deploy a particular technology into their environment. But once adversaries figure out how to evade it or create countermeasures, it often doesn't work nearly as effectively.

Steve Grobman: [00:06:57:09] However, there's this psychological issue where the same principals who have advocated for bringing the technology in-house would need to be the ones to very quickly turn around and say it's actually not working and the right thing to do to maximize return on efficacy for environment, would be to remove it. That's very difficult for a lot of people, the managers to say, although I recommended doing a full deployment into organization last year, this year I'm recommending we remove. And that's one of the reasons we're advocating taking a platform based approach where you're looking at technologies that can much more easily be introduced into an environment and then optimized, have the right set of technologies operating in an enterprise. And that includes when things aren't as effective as they need to be from a value perspective, they can either be reduced in scope or very easily removed and leaving that operations team with a high value, high intensity, high efficacy set of technology that remains in their environment.

Dave Bittner: [00:08:20:07] That's Steve Grobman from Intel Security.

Dave Bittner: [00:08:25:02] For unsolved problems in various stages of solution, the biggest challenge still seems to be the false positive problem: too many security teams continue to be overwhelmed with chattering alerts and proliferation of point solutions isn't likely to help. The perimeter has clearly contracted to the endpoint and maybe even to the user, or to the app, and there are a number of interesting approaches to defense being offered and discussed. People continue to grapple with the security challenges posed by the Internet-of-things and there's a growing appreciation that the world of operational technology has needs that security born and bred in the world of information technology just might not be up to meeting.

Dave Bittner: [00:09:07:18] Time for a message from our sustaining sponsor Cylance. Are you looking for something beyond legacy security approaches? If you are and really who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is. No matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence but it's real protection. Visit to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:10:06:21] And I'm pleased to be joined once again by Ben Yelin, he's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, as we make the transition to the new presidential administration, I think a lot of people are looking back to President Obama's legacy when it comes to civil liberties in the cyber domain. He's received a good bit of criticism when it comes to that.

Ben Yelin: [00:10:29:08] Yeah so I think a lot of people on the left of center side for the past eight years during the Obama administration, there were a group of true believers. Folks at The Intercept, the Glenn Greenwalds of the world who had said things that, despite his orientation as a liberal democrat, he's been relatively aggressive in using the surveillance state to gain national security information and people should be concerned about this. There were others on the center left who said, he's Obama, we trust him, he's not going to abuse these channels. The problem is once you create the tools, once you use the tools, they're going to get into the hands of people you're not comfortable with. And I think for those people on the center left, that would be the Donald Trump administration. And that's why I think so many civil liberties advocates were disappointed on January 12th when we found out that President Obama in one of his last acts related to surveillance had rolled back limits on the National Security Agency's surveillance operations.

Ben Yelin: [00:11:30:13] Previously the agency would comb through the data and classify certain elements of the data before they send it to the 16 other government agencies that deal with intelligence. Due to the Obama administration's January 12th action, now the raw data collected by the National Security Agency goes directly to these other intelligence agencies.

Ben Yelin: [00:11:57:01] The positive side from the perspective of the administration is that it will be easier to find the needle in the haystack. You get that entire block of raw data, it goes to all the intelligence agencies, it's going to be much easier for one of them to find something that catches their eye that can be a hint as to what a suspect is up to, what a known suspect is applying. A negative aspect of it is that it can also reveal information from people who are perfectly innocent. It's more likely that amongst that raw data you're going to have irrelevant information, information unlawfully collected or incidentally collected.

Dave Bittner: [00:12:36:06] I think the timing certainly did raise some eyebrows but obviously the President was conscious of that. What are people on the other side saying? Is it a point that the President merely handing the next administration a better set of tools to do the jobs that they're tasked with?

Ben Yelin: [00:12:53:04] I mean I think, you know, every President who's come into office, promising to curtail the power of the surveillance state, gets into office, sees the awesome power that surveillance state affords them and realizes that they're responsible for preventing terrorist attacks. And I think that's exactly what happened with President Obama, he had come in as a critic on some of the Bush administration’s surveillance practices. But by the end of his administration he was a strong believer in some of these surveillance tools. Even though he signed the USA Freedom Act, he originally had been a supporter of the bulk metadata program to collect the metadata from phone calls from almost all domestic users. He had been a supporter of foreign intelligence surveillance operations and I think at least in his view, it significantly contributed to the lack of a substantial 9/11 style terrorist attack during his administration.

Ben Yelin: [00:13:48:21] So I think he genuinely believes that these tools are important to combat terror threats and no matter who the next President is or not, knowing that these tools are valuable, he wanted to give that President at least the availability of these surveillance tools.

Dave Bittner: [00:14:06:09] Ben Yelin, thanks for joining us.

Dave Bittner: [00:14:10:12] And that's the CyberWire. For links to all of today's stories, interviews, our glossary and more, visit Thanks to all of our sponsors, for making the CyberWire possible especially to our sustaining sponsor Cylance. To find out how they can help protect you from cyber attacks visit

Dave Bittner: [00:14:27:09] The CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, and our Executive Editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.